[ https://issues.apache.org/jira/browse/AMQ-9388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17785700#comment-17785700 ]
ASF subversion and git services commented on AMQ-9388:
------------------------------------------------------

Commit 3013a3ab35a249b46ed6706d66a35f328ede1885 in activemq's branch refs/heads/main from Christopher L. Shannon (cshannon)
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=3013a3ab3 ]

AMQ-9388 - Exclude activemq-client-jakarta from camel-activemq

The current version of camel pulls in the activemq-client-jakarta jar
which is not necessary as it no longer exists with ActiveMQ 6.0.0

Furthermore the version being pulled in is 5.18.2 which contains a
critical CVE that was fixed in 5.18.3

> camel-activemq transitively pulls in activemq-client-jakarta
> ------------------------------------------------------------
>
>                 Key: AMQ-9388
>                 URL: https://issues.apache.org/jira/browse/AMQ-9388
>             Project: ActiveMQ
>          Issue Type: Bug
>          Components: Broker
>            Reporter: Christopher L. Shannon
>            Assignee: Christopher L. Shannon
>            Priority: Blocker
>             Fix For: 6.0.0
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> While reviewing the 6.0.0 release I noticed that the newly added
> {{camel-activemq}} module pulls in {{activemq-client-jakarta}} as a
> transitive dependency. This makes sense since the version used is based on
> ActiveMQ 5.18.2 as 6.0.0 isn't released yet.
> We need to exclude this because with version 6.0.0 this module no longer
> exists so is not needed and secondly the 5.18.2 version has a CVE against it.
> The dependency in the current release is not included in the tar distribution
> but since it is transitively being pulled in with maven if someone has a
> dependency on the apache-activemq pom they will have the jar pulled into
> their build.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
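
As an added example (not part of the Jira message or the ActiveMQ commit), this Python script reads `mvn dependency:tree` text output from a consuming build, reports the chain by which `activemq-client-jakarta` arrives, and flags versions below 5.18.3. The sample tree, `com.example:app` and every `0.0.0-EXAMPLE` version are constructed placeholders.

```python
import re

FIXED_IN = "5.18.3"  # per the commit message: the CVE in 5.18.2 was fixed in 5.18.3

# Constructed `mvn dependency:tree` output for a hypothetical consumer build.
# com.example:app and every 0.0.0-EXAMPLE version are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:0.0.0-EXAMPLE
[INFO] +- org.apache.activemq:apache-activemq:pom:0.0.0-EXAMPLE:compile
[INFO] |  +- org.apache.activemq:activemq-client:jar:0.0.0-EXAMPLE:compile
[INFO] |  \- org.apache.camel:camel-activemq:jar:0.0.0-EXAMPLE:compile
[INFO] |     \- org.apache.activemq:activemq-client-jakarta:jar:5.18.2:compile
[INFO] \- org.slf4j:slf4j-api:jar:0.0.0-EXAMPLE:compile
"""

UNIT = r"(?:\+- |\\- |\|  |   )"  # one 3-character indent unit per tree level
NODE = re.compile(rf"^\[INFO\] ((?:{UNIT})*)([^\s:]+(?::[^\s:]+){{3,5}})$")

def parse_coords(text):
    """Root is g:a:type:version; dependencies are g:a:type[:classifier]:version:scope."""
    parts = text.split(":")
    version = parts[3] if len(parts) == 4 else parts[-2]
    return parts[0], parts[1], version

def version_key(version):
    """Numeric sort key from the part before any qualifier, e.g. 5.18.2 -> (5, 18, 2)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_paths(tree_text, group, artifact):
    """Return every occurrence of group:artifact with the chain that pulls it in."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue
        depth = len(m.group(1)) // 3
        g, a, v = parse_coords(m.group(2))
        del stack[depth:]  # drop siblings and deeper nodes from the previous branch
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact):
            hits.append({"version": v, "path": list(stack),
                         "below_fixed": version_key(v) < version_key(FIXED_IN)})
    return hits

if __name__ == "__main__":
    for hit in find_paths(SAMPLE_TREE, "org.apache.activemq", "activemq-client-jakarta"):
        status = "BELOW " + FIXED_IN if hit["below_fixed"] else "ok"
        print(f"[{status}] " + " -> ".join(hit["path"]))
```

Run `mvn dependency:tree` in the consuming project and pass its output in place of `SAMPLE_TREE`; the second element of each reported path is the direct dependency on which an exclusion would be declared.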